Hi, I was wondering if anyone can help me out with an odd DNS problem I'm having.

For some reason our DNS appears to be getting corrupted and random sites resolve to the following IP address: 212.69.172.16, which is a webpage that says just the following text:

    Willkommen am Weiterleitungsserver, Die Webweiterleitung ist noch nicht eingerichtet.

(The German translates to basically "welcome to the forward server, the forwarding isn't done yet", pretty harmless, but when websites start going to a plain German website I got a lot of calls.) Sometimes it redirects to:

    http://212.69.172.16/forward.php

which talks about how my DNS may have been attacked or have a wrong configuration, but doesn't give any more info beyond that.

Our DNS servers are running Win2k DNS. Upon looking at the event viewer I'm getting a lot of messages saying:

    event id: 5504, The DNS server encountered an invalid domain name in a packet from x.x.x.x. The packet is rejected.

It seems as though I'm being attacked and someone may be messing with my DNS cache. How, I don't know. These messages are coming from the following IP addresses:

    63.239.93.60
    63.239.93.61
    66.60.156.146

All of which appear to belong to the University of New Haven. I tried contacting them via email but all addresses to newhaven.com appear to fail. I have contacted upstream people, awaiting response. That last IP address, 66.60.156.146, worries me that someone is messing around because it lists courses having to do with firewalls, viruses, and cyberterrorism (gah!).

I'm running snort, but it hasn't seemed to pick up anything unusual. I tried running tcpdump on our firewall to try and see what's going on. Unfortunately I'm not very experienced with reading tcpdump output, so I don't quite know what's going on:

    tcpdump -vvne src host 66.60.156.146 or 63.239.93.60 or 63.239.93.61

    13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 66.60.156.146.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl 53, id 17536)
    13:37:48.274865 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195: 66.60.156.146.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl 52, id 17536)
    13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 63.239.93.61.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 39714)
    13:37:48.314972 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195: 63.239.93.61.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 39714)
    13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 63.239.93.60.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 16316)
    13:37:52.339350 eth2 > 0:0:0:0:0:0 0:4:ac:36:d6:2b ip 195: 63.239.93.60.domain > INTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 56, id 16316)

Clearing the DNS cache solves the problem, but it started to creep back in, so I've blocked all traffic from those IP addresses to see if that stops it from happening again.

Any insight would be gratefully appreciated. Thanks!

- Anthony Buser

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
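Added example, not part of the original post: a small Python check over tcpdump -vvn DNS reply lines like the ones above. It groups replies by destination, port, transaction ID and query name and flags any query that is answered by more than one source address, the pattern seen above where three hosts all reply with ID 14308 to port 1063. The sample lines are constructed from the post's eth0 capture, with its EXTERNALIP placeholder kept as written.

```python
import re
from collections import defaultdict

# Constructed sample: the three eth0 reply lines from the post (EXTERNALIP is the poster's placeholder).
SAMPLE = """\
13:37:48.274749 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 66.60.156.146.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) [tos 0x10] (ttl 53, id 17536)
13:37:48.314866 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 63.239.93.61.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 39714)
13:37:52.339289 eth0 < 0:0:c:3d:e5:60 0:0:0:0:0:1 ip 195: 63.239.93.60.domain > EXTERNALIP.1063: 14308*- q: all.net. 5/0/0 all.net. MX all.net. 0, all.net. A 204.181.12.215, all.net. PTR www.all.net., all.net. PTR localhost., all.net. (153) (ttl 57, id 16316)
"""

# Matches the tcpdump -vvne layout used in the post: timestamp, interface, direction,
# two MAC addresses, then "ip <len>: src.domain > dst.port: txid<flags> q: name an/ns/ar ... (ttl N,".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) [<>] \S+ \S+ ip \d+: "
    r"(?P<src>[\d.]+)\.domain > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>\S*) q: (?P<qname>\S+) "
    r"(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) .*\(ttl (?P<ttl>\d+),"
)


def parse_responses(text):
    """Parse DNS reply lines into dicts; lines that do not match the layout are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("dport", "txid", "an", "ns", "ar", "ttl"):
                rec[key] = int(rec[key])
            out.append(rec)
    return out


def find_multi_source_replies(responses):
    """Return {(dst, dport, txid, qname): info} for queries answered by more than one source IP.

    A resolver sends one query to one server, so several distinct sources replying with the
    same transaction ID to the same port is worth investigating; the IP TTLs are reported
    because replies that really come from different hosts usually show different values."""
    groups = defaultdict(list)
    for r in responses:
        groups[(r["dst"], r["dport"], r["txid"], r["qname"])].append(r)
    flagged = {}
    for key, recs in groups.items():
        sources = sorted({r["src"] for r in recs})
        if len(sources) > 1:
            flagged[key] = {
                "sources": sources,
                "ip_ttls": sorted({r["ttl"] for r in recs}),
                "authoritative": all("*" in r["flags"] for r in recs),
            }
    return flagged


if __name__ == "__main__":
    for key, info in find_multi_source_replies(parse_responses(SAMPLE)).items():
        print(key, info)
```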
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 18:26:48 PST